ZeroTool Workbench
Bcrypt Generator
Generate and verify bcrypt password hashes in your browser. Adjustable cost factor (4–14), Web Worker-powered for a responsive UI. Passwords never leave your device.
How to Use
Generate Mode
- Enter the plaintext password in the Password field.
- Adjust the Cost Factor slider (default: 12). The estimated processing time updates in real time.
- Click Generate Hash. The UI stays responsive while the Web Worker computes the result.
- Click Copy to copy the hash to your clipboard.
Verify Mode
- Switch to the Verify tab.
- Enter the plaintext password and the stored bcrypt hash.
- Click Verify. The result shows Match or No Match.
Cost Factor Reference
| Cost | Approx. time | Use case |
|---|---|---|
| 10 | ~60 ms | High-traffic APIs, legacy systems |
| 12 | ~250 ms | Recommended default for web apps |
| 13 | ~500 ms | Higher security, moderate traffic |
| 14 | ~1 s | High-security contexts |
Security Notes
- Never use MD5, SHA-1, or unsalted SHA-256 to hash passwords: they are designed to be fast, which lets an attacker test a huge number of guesses cheaply, and without a salt they are also vulnerable to precomputed rainbow tables.
- Bcrypt hashes include the cost factor in the output string, so stored hashes remain verifiable even after you raise the cost factor for new registrations.
- This tool uses the bcryptjs library — a pure JavaScript port compatible with all bcrypt implementations.
FAQ
What is bcrypt and when should I use it?
Bcrypt is a password-hashing function designed to be slow and computationally expensive, making brute-force attacks impractical. Use it to store user passwords in your database — never store plaintext or fast hashes like MD5/SHA for passwords.
What does the Cost Factor (rounds) control?
The cost factor sets how many rounds of bcrypt's key-expansion step are run, as a power of two (2^cost rounds), so each increment doubles the computation time. Cost 12 (~250 ms) is the current recommendation for most web apps. Use 14 for higher-security contexts where latency is acceptable.
Why does generating a hash take a few seconds at high cost factors?
That's intentional — bcrypt is designed to be slow. The computational cost that makes hashing slow for you also makes it very slow for attackers trying every possible password. The Web Worker keeps the browser UI responsive while the computation runs.
Is my password sent to a server?
No. All hashing and verification happens entirely in your browser via the bcryptjs library. Nothing is transmitted over the network.
Why does the same password produce a different hash each time?
Bcrypt embeds a random salt in the hash. Each call to Generate produces a unique salt, so two hashes of the same password will look different but both verify correctly against the original password.
What is a valid bcrypt hash format?
A bcrypt hash starts with $2b$ (or $2a$, $2x$ or $2y$ for older variants), followed by the two-digit cost factor, another $ separator, and 53 characters from bcrypt's own base64 alphabet that encode the salt and the hash. Example: $2b$12$...
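The hash format described above, and the cost-upgrade point from the Security Notes, as an added example that is not ZeroTool or bcryptjs code: it parses a bcrypt string without a bcrypt library, reads the embedded cost, flags stored hashes that fall below a raised cost policy, and scales the timing table. The sample hash, the 60 ms baseline at cost 10 and the function names are assumptions made for the example.

```javascript
// Added example (not ZeroTool or bcryptjs code): parse a bcrypt hash string,
// check that it is well formed, read the embedded cost, and decide whether a
// stored hash should be re-hashed because the cost policy has been raised.
// Verifying a password still needs a real bcrypt implementation.

// Layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>, where the
// 53 trailing characters use bcrypt's own base64 alphabet ("./A-Za-z0-9").
const BCRYPT_HASH_RE = /^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{53})$/;

function parseBcryptHash(hash) {
  const m = BCRYPT_HASH_RE.exec(hash);
  if (m === null) return null;
  const cost = Number(m[2]);
  // bcrypt implementations accept costs 4..31; the tool's slider covers 4..14.
  if (cost < 4 || cost > 31) return null;
  return {
    version: m[1],
    cost,
    salt: m[3].slice(0, 22),  // 22 characters encode the 16-byte salt
    digest: m[3].slice(22),   // 31 characters encode the 23-byte output
  };
}

// A stored hash stays verifiable at its own embedded cost; this only flags the
// ones that should be re-hashed (e.g. on next successful login) to meet policyCost.
function needsRehash(storedHash, policyCost) {
  const parsed = parseBcryptHash(storedHash);
  if (parsed === null) return true; // unknown format: treat as legacy
  return parsed.cost < policyCost;
}

// Rough timing estimate in ms, scaled from the reference table: ~60 ms at
// cost 10 (assumed baseline), doubling with each increment of the cost.
function estimateMs(cost, msAtCost10 = 60) {
  return msAtCost10 * 2 ** (cost - 10);
}

// Constructed sample string with the right shape; the salt/digest characters
// are placeholders, not the output of a real bcrypt run.
const SAMPLE_HASH =
  "$2b$10$" + "abcdefghijklmnopqrstuv" + "0123456789012345678901234567890";
```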